Or, when life gives you apples, use Linux
Seemingly harder to remove with every eye-glazing gist and thread... A mac plagued with an is_mdm_removable=false Mobile Device Management profile: the worst! 🙂
First, boot into recovery mode by rebooting while holding down the Command & R keys.
At this stage, you'll need to connect to the internet briefly to download the recovery OS. This provides a few tools including like disk utility, support, an osx reinstaller- at the top menu, you'll find an option to access a terminal.
Once in there, you'll want to:
Disable SIP:
csrutil disableThen reboot:
reboot nowWhile holding down Command + Option + P + R to start afresh with cleared NVRAM.
Reboot once again while holding down the Command & R keys to return to the recovery OS. Reinstall whatever version of OSX it offers- instead of trying to deal with the slippery, network connected DEP plists & binaries contained within the various LaunchAgents and LaunchDaemons found in the /System/Library directories directly, we'll let Apple finish with the ConfigurationProfiles first, then sneak in and remove them.
While this stuff is cooking, get yourself a usb stick and a penguin, such as Budgie:
wget -nd http://cdimage.ubuntu.com/ubuntu-budgie/releases/20.04.1/release/ubuntu-budgie-20.04.1-desktop-amd64.iso
umount /dev/sdc 2>/dev/null || true
sudo dd if=ubuntu-budgie-20.04.1-desktop-amd64.iso of=/dev/sdc bs=1048576 && syncBoot up again, this time holding the Option key for the bootloader menu. Once in the live usb system, make sure you can read Apples HFS filesystem:
sudo apt-get install hfsprogsFor me at least, I needed to run a quick fsck to fix up the headers before I could mount the osx filesystem living at /dev/sda2 (sda1 is the efi partition):
sudo fsck.hfsplus /dev/sda2Now, lets go in there and remove those ConfigurationProfiles:
mkdir badapple
sudo mount -o force /dev/sda2 badapple
cd badapple
sudo rm -rf private/var/db/ConfigurationProfiles/*🙂
Could you please go into a little more step-by-step on how to do this? I understand until you get to the Budgie part. I downloaded it, now do what with it? Some more plain English directions, please. Thank you!
Sure!
You’ll first want to burn that Budgie disk image to an external drive of some kind, like a thumb drive. The method in my post just uses the built in `dd` utility in Mac’s terminal; If you’ve inserted a single usb stick into your mac, the command:
umount /dev/sdc 2>/dev/null || true
sudo dd if=ubuntu-budgie-20.04.1-desktop-amd64.iso of=/dev/sdc bs=1048576 && sync
…would burn the “ubuntu-budgie-20.04.1-desktop-amd64.iso” disk image onto usb device “/dev/sdc”.
Lots of other ways to do this too, like with this nifty tool https://www.balena.io/etcher/
Then, by rebooting while holding the “option” key you’ll be able to boot into Budgie instead of Mac OS from the usb stick. Wait for everything to load, might take a while. Ignore any install or welcome prompts if from Budgie if it asks, instead go straight to the `Tilix` shell by hitting the “Command” key then typing in “Tilix” and then hitting “Enter”.
From here:
sudo apt-get install hfsprogs -y
– This driver lets budgie know how to read apple’s hfs file system.
sudo fsck.hfsplus /dev/sda2
– This normalizes the volume headers in the main Mac OS partition.
mkdir badapple
– This command makes a new folder in Budgie, where we’ll mount that Mac OS partition
sudo mount -o force /dev/sda2 badapple
– this mounts everything in that main Mac partition in the new folder /badapple/
cd badapple
– here we enter ./badapple/
sudo rm -rf private/var/db/ConfigurationProfiles/*
– here we forcibly delete all ConfigurationProfiles
cd ~
– here we’ve left the ./badapple/ directory
you might then:
sudo umount -f /dev/sda2
sudo shutdown now
…to unmount and shutdown.
Remove the usb stick and reboot.
Hope this helps!
-Jess
Is this a way to remove a MDM profile forever? Or will it still prompt when wiping the disk again.
Cheers Jamie
Hey Jamie,
Yes! By removing the profiles in `private/var/db/ConfigurationProfiles/*` (from a proper shell with permission to do it; this is I’m going in mounting and deleting them from a shell in Budgie / Ubuntu) your mac will no longer have any mdm profile services to talk to, so it shouldn’t be able to get them back 🙂
Cheers!
-Jess
Hello Jess,
Thanks for your reply greatly appreciated.
Does budgie still need to be installed for it too remember that it was removed.
I’m really asking is when I’ve done all this which I’ll try this evening can I wipe everything on mac disk utility and install just mac os big sur so it’s ready too sell on to a new user.
Cheers Jamie
Hey Jamie,
I am using Ubuntu Budgie here from a usb stick (not to be installed on the mac- boot from a usb stick by holding alt/option on startup) just so we can mount –> remove the offending mac os directories from a system privileged to do so (any os will do, just not mac os!). Once the profiles and mdm bits are gone, one hop back over to mac os, upgrade to big sur / catalina etc- the mac should be none the wiser, and should not have any reason to ding the profile service. hope this helps!
Sorry I meant to say “unknown filesystem type apfs”
After I give command;
sudo mount -o force /dev/sda2 badapple
How did you go around that, I tried both formats apfs and extended journaled
Hola Daniel,
From Budgie / Ubuntu, you can install an APFS driver like this:
`sudo apt-get install libfsapfs-utils -y`
Then mount the filesystem like this:
`sudo fsapfsmount -f 1 /dev/sda2 badapple`
Hope this helps,
-Jess
Any way to do this on Big Sur – that has an APFS filesystem?
Hey Frank,
There is a sort of experimental linux driver you can use to mount APFS on debian / ubuntu-
From Budgie / Ubuntu, install it like this:
`sudo apt-get install libfsapfs-utils -y`
Then mount the filesystem like this:
`sudo fsapfsmount -f 1 /dev/sda2 badapple`
Hope this helps!
-Jess
Thanks Jess.
What I ultimately did was this:
https://apple.stackexchange.com/questions/297293/turning-off-device-enrollment-notifications-on-macbook-pro
See the section on Big Sur to Disable MDM notifications.
Thanks for your help.
This was so helpful!
I found a showstopper. If ‘Startup Security Utility’ is set to prohibit booting from external media, it won’t boot from the USB drive.